You might have already heard about the Log4j vulnerability and version 2.15.0, which was released to fix it. It turned out that 2.15.0 did not fix the vulnerability fully, as there were still some scenarios in which JNDI could be exploited by sending malicious payloads. So the Apache Log4j project has again come out with a new version, 2.16.0, which disables access to JNDI by default. If you are using any Log4j 2.x.x version in your project, upgrade to 2.16.0 with immediate effect.
What does Log4j version 2.16.0 do?
- Disables access to JNDI by default
- The message lookups feature has been completely removed
- JNDI lookups can still be enabled explicitly in the configuration
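Since the advice above is to upgrade every Log4j 2.x dependency to 2.16.0, a quick inventory check helps confirm nothing older is left on the classpath. The following is an added example, not code from the original post or the Log4j project; it assumes log4j-core jars follow the standard `log4j-core-<version>.jar` naming and carry an `Implementation-Version` header in their manifest, and the sample jars it scans are constructed in-memory.

```python
# Added check (not from the original post): flag log4j-core jars older than 2.16.0.
import io
import re
import zipfile

FIXED_VERSION = (2, 16, 0)  # first release that disables JNDI by default

def parse_version(text):
    """Turn '2.14.1' or '2.16.0-rc1' into a comparable tuple of ints."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x or 0) for x in m.groups())

def needs_upgrade(version):
    """True for any Log4j 2.x release below 2.16.0 (1.x is a separate codebase)."""
    v = parse_version(version)
    return v[0] == 2 and v < FIXED_VERSION

def version_from_jar(jar_bytes):
    """Read Implementation-Version from META-INF/MANIFEST.MF; None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Implementation-Version":
            return value.strip()
    return None

def scan_jars(jars):
    """jars: iterable of (file name, jar bytes). Returns {name: version} to upgrade."""
    findings = {}
    for name, data in jars:
        if not name.startswith("log4j-core"):  # assumption: standard artifact naming
            continue
        ver = version_from_jar(data)
        if ver and needs_upgrade(ver):
            findings[name] = ver
    return findings

def fake_jar(version):
    """Constructed sample jar (only a manifest) so the scan runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
    return buf.getvalue()
```

To run it against a real build, feed `scan_jars` the `(name, bytes)` pairs of the jars in your application's lib directory instead of the constructed samples.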
There are also some mitigation techniques that can be applied to prevent JNDI lookups (these apply only to Log4j 2.x versions, not to Log4j 1.x versions).